[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: wip/trustedQSL
Module name: wip
Committed by: makoto
Date: Thu Apr 17 11:57:02 UTC 2014
wip/trustedQSL: Makefile distinfo
(Upstream) Bump version:
--- Mail from Author ---
You have likely read that there is a defect in the OpenSSL software that
can potentially cause information disclosure, including the loss of
private information such as secret keys, passwords, cookies, and so
TQSL uses the OpenSSL software to manage callsign certificates and to
sign logs. Those functions do not use the part of the OpenSSL software
that has the Heartbleed defect.
However, TQSL also uses the OpenSSL software to manage connections to
the lotw.arrl.org site for processing uploads and downloads. Those
functions DO use the part of OpenSSL that's subject to Heartbleed.
The risk posed to TQSL users is quite low. The only way that someone
could Heartbleed to attack a TQSL user would be for the attacker to set
up a rogue copy of lotw.arrl.org and somehow get a TQSL user to go there
rather than the ARRL site. That rogue site would then probe TQSL on the
user's PC, hoping to find their password. This is a pretty unlikely
attack, since the straightforward attack, if I can get you to go to a
fake site, would be to simply ask the user for the password rather than
try the unreliable Heartbleed attacks.
There's no practical attack known against client software like TQSL,
unlike the attacks against web servers that have been demonstrated. Also
note that the ONLY data that would be exposed would be TQSL information,
such as certificate passwords and secret keys. Attacking those would
take a lot of work and make no economic sense.
However, even though this is a low-risk for TQSL users, we're making an
updated beta test release available, TQSL 2.0.2-RC1, which uses the
updated OpenSSL, so that this risk can be eliminated.
This release is targeted for Windows users, since the MacOS version of
TQSL uses a version of OpenSSL which is not vulnerable to Heartbleed and
the Linux builds use the OpenSSL supplied with your Linux distribution,
which should have already been patched.
To generate a diff of this commit:
cvs -z3 rdiff -u -r1.28 -r1.29 wip/trustedQSL/distinfo
cvs -z3 rdiff -u -r1.48 -r1.49 wip/trustedQSL/Makefile
To view a diff of this commit:
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
pkgsrc-wip-cvs mailing list
Main Index |
Thread Index |